CVE-2026-43329 - Vulnerability Details

- netfilter: flowtable: strictly check for maximum number of actions

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable: strictly check for maximum number of actions

The maximum number of flowtable hardware offload actions in IPv6 is:

* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)
for QinQ.
* Redirect (1 action)

Which makes 17, while the maximum is 16. But act_ct supports for tunnels
actions too. Note that payload action operates at 32-bit word level, so
mangling an IPv6 address takes 4 payload actions.

Update flow_action_entry_next() calls to check for the maximum number of
supported actions.

While at it, rise the maximum number of actions per flow from 16 to 24
so this works fine with IPv6 setups.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability stems from the Linux kernel’s netfilter flowtable code not enforcing the correct maximum number of hardware offload actions for IPv6 packets. While the taxonomy limits the table to sixteen actions, legitimate IPv6 configurations can require seventeen or more – for example, ethernet address mangling, SNAT, DNAT, double VLANs, and redirects each consume multiple payload actions. The unchecked count allows a kernel buffer overrun, which can corrupt kernel memory or trigger a panic. Because this occurs in privileged kernel space, an attacker could cause a denial‑of‑service or, if an additional step is leveraged, potentially execute code with root privileges.

Affected Systems

All Linux systems running a kernel that implements netfilter’s flowtable offload for IPv6 traffic and has not yet integrated the fix that raises the limit to twenty‑four actions. The vendor indicated is "Linux:Linux", representing the Linux kernel itself; thus any distribution that includes the affected kernel version, regardless of distro name, is susceptible.

Risk and Exploitability

No CVSS rating is present, and the Exploit Prediction Scoring System (EPSS) score is unavailable, indicating no broad public exploitation data. The vulnerability is not listed in CISA KEV, suggesting it has not been observed in the wild. However, exploitation would likely require an attacker to craft network packets that deliver an oversized flowtable action list to the target. This is a network‑based attack vector. Given the kernel privilege context, the potential impact is large, so remaining unpatched systems could be at risk of a denial‑of‑service or, with further vulnerability exploitation, a privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c29f74e0df7a02b8303bcdce93a7c0132d62577a`	affected	< ead66c77303f760f6c30be96e2e20d5a77cef614
`c29f74e0df7a02b8303bcdce93a7c0132d62577a`	affected	< fe9018d3e94329f1951b00805a8640bc06f56ead
`c29f74e0df7a02b8303bcdce93a7c0132d62577a`	affected	< 5382bb03e9c33b089d60788478b922a2dca284cc
`c29f74e0df7a02b8303bcdce93a7c0132d62577a`	affected	< 57c78bd2e2dd08897acd35b2bf8bcef322e36f5e
`c29f74e0df7a02b8303bcdce93a7c0132d62577a`	affected	< 504c9456699dcf4d15195ef34a0fa94a80bfc877
`c29f74e0df7a02b8303bcdce93a7c0132d62577a`	affected	< 879959a7a2be814dd57568655eafa3d8f4d0309e
`c29f74e0df7a02b8303bcdce93a7c0132d62577a`	affected	< 76522fcdbc3a02b568f5d957f7e66fc194abb893

Linux

affected

Version	Status	Constraints
`5.5`	affected	—
`0`	unaffected	< 5.5
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c29f74e0df7a02b8303bcdce93a7c0132d62577a,ead66c77303f760f6c30be96e2e20d5a77cef614)`	affected	code_commit	—
`[c29f74e0df7a02b8303bcdce93a7c0132d62577a,fe9018d3e94329f1951b00805a8640bc06f56ead)`	affected	code_commit	—
`[c29f74e0df7a02b8303bcdce93a7c0132d62577a,5382bb03e9c33b089d60788478b922a2dca284cc)`	affected	code_commit	—
`[c29f74e0df7a02b8303bcdce93a7c0132d62577a,57c78bd2e2dd08897acd35b2bf8bcef322e36f5e)`	affected	code_commit	—
`[c29f74e0df7a02b8303bcdce93a7c0132d62577a,504c9456699dcf4d15195ef34a0fa94a80bfc877)`	affected	code_commit	—
`[c29f74e0df7a02b8303bcdce93a7c0132d62577a,879959a7a2be814dd57568655eafa3d8f4d0309e)`	affected	code_commit	—
`[c29f74e0df7a02b8303bcdce93a7c0132d62577a,76522fcdbc3a02b568f5d957f7e66fc194abb893)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.5`	affected	generic	—
`[0,5.5)`	unaffected	generic	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version containing the netfilter flowtable action‑limit patch, which raises the maximum to twenty‑four actions.
If a kernel upgrade cannot be applied immediately, disable flowtable hardware offload for IPv6 traffic by adjusting netfilter settings (e.g., clearing the relevant sysctl entries) or by applying configuration rules that exhaust the available action set before the offload path is used.
Monitor network traffic for anomalous packets that trigger unexpected large action lists, and enforce strict filtering on interfaces that may be exposed to untrusted traffic.

Generated by OpenCVE AI on May 8, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/504c9456699dcf4d15195ef34a0fa94a80bfc877
https://git.kernel.org/stable/c/5382bb03e9c33b089d60788478b922a2dca284cc
https://git.kernel.org/stable/c/57c78bd2e2dd08897acd35b2bf8bcef322e36f5e
https://git.kernel.org/stable/c/76522fcdbc3a02b568f5d957f7e66fc194abb893
https://git.kernel.org/stable/c/879959a7a2be814dd57568655eafa3d8f4d0309e
https://git.kernel.org/stable/c/ead66c77303f760f6c30be96e2e20d5a77cef614
https://git.kernel.org/stable/c/fe9018d3e94329f1951b00805a8640bc06f56ead

History

Fri, 08 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-680

Fri, 08 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SNAT (4 payload actions) * DNAT (4 payload actions) * Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ. * Redirect (1 action) Which makes 17, while the maximum is 16. But act_ct supports for tunnels actions too. Note that payload action operates at 32-bit word level, so mangling an IPv6 address takes 4 payload actions. Update flow_action_entry_next() calls to check for the maximum number of supported actions. While at it, rise the maximum number of actions per flow from 16 to 24 so this works fine with IPv6 setups.
Title		netfilter: flowtable: strictly check for maximum number of actions
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/504c9456699dcf4d15195ef34a0fa94a80bfc877 https://git.kernel.org/stable/c/5382bb03e9c33b089d60788478b922a2dca284cc https://git.kernel.org/stable/c/57c78bd2e2dd08897acd35b2bf8bcef322e36f5e https://git.kernel.org/stable/c/76522fcdbc3a02b568f5d957f7e66fc194abb893 https://git.kernel.org/stable/c/879959a7a2be814dd57568655eafa3d8f4d0309e https://git.kernel.org/stable/c/ead66c77303f760f6c30be96e2e20d5a77cef614 https://git.kernel.org/stable/c/fe9018d3e94329f1951b00805a8640bc06f56ead

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:31:17.479Z

Updated: 2026-05-08T13:31:17.479Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43329

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:42.520

Modified: 2026-05-08T14:16:42.520

Link: CVE-2026-43329

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:45:20Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object